CVE Catalog

CVE-2026-57997

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

The Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

Risk Assessment

The organization is at risk of unauthorized access to the Strapi system via forged JWT tokens, potentially leading to account takeover and privilege escalation.

Recommendation

Explicitly configure the plugin::users-permissions.jwt.algorithm parameter to a secure algorithm (e.g., RS256) and update the users-permissions plugin to the latest patched version.

Original NVD description (English source)

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS